Source: libseccomp
Version: 2.5.4-1
Severity: normal
X-Debbugs-Cc: [email protected]

Hi!

When using Docker in bookworm (current stable) and trying to run containers based on newer distributions (like the recently released Alpine 3.20), they will sometimes attempt to invoke newer syscalls like fchmodat2. Due to the way syscalls that libseccomp does not know about interact with Docker's seccomp profiles, these sometimes get EPERM instead of ENOSYS like they should, which breaks their fallback.

Is there any chance of getting these newer syscalls into some version in bookworm? (backports is very acceptable, but it *seems* like this might be appropriate for a stable update too? I very much defer to your wisdom/experience! <3)

I think you're probably already way more aware than I am, but from my own look at the changes in the 2.5.5 upstream release, they're pretty minimal (a few typo fixes and the desired syscall table updates [1]), so perhaps 2.5.5 would be appropriate/sufficient and it's not necessary to backport the patch by itself?

[1]: https://github.com/seccomp/libseccomp/compare/v2.5.4...v2.5.5

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
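Added example, not part of the original report and not code from libseccomp, Docker or any libc: a small C probe that can be built and run inside a container to see whether fchmodat2 comes back as ENOSYS or EPERM, together with a simplified model of a "fall back on ENOSYS" wrapper showing why EPERM defeats it. The syscall number 452 (x86_64 and generic tables), the `fake_*` stand-ins and all function names are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef SYS_fchmodat2
#define SYS_fchmodat2 452 /* assumption: x86_64/generic syscall number */
#endif

typedef long (*call_fn)(void); /* returns -1 and sets errno on failure */

/* Constructed stand-ins for what a caller may observe from the new syscall. */
static long fake_enosys(void) { errno = ENOSYS; return -1; } /* syscall unknown */
static long fake_eperm(void)  { errno = EPERM;  return -1; } /* filter denied it */
static long fake_ok(void)     { return 0; }                  /* older path works */

/* Simplified model of a "try the new syscall, fall back on ENOSYS" wrapper. */
static int chmod_compat(call_fn newer, call_fn older) {
    if (newer() == 0) return 0;
    if (errno != ENOSYS) return -1; /* EPERM lands here: no fallback attempted */
    return older() == 0 ? 0 : -1;
}

/* Real probe: dirfd -1 with an empty path cannot resolve to any file, so a
 * kernel that implements the call fails in path lookup and changes nothing. */
static long probe_fchmodat2(void) {
    return syscall(SYS_fchmodat2, -1, "", 0, 0);
}

/* 0 = call reached an implementation, 1 = ENOSYS, 2 = EPERM. */
static int classify(call_fn fn) {
    errno = 0;
    if (fn() == 0) return 0;
    return errno == ENOSYS ? 1 : errno == EPERM ? 2 : 0;
}

int main(void) {
    static const char *msg[] = { "implemented by the kernel",
        "ENOSYS, callers can fall back", "EPERM, callers will not fall back" };
    printf("fchmodat2 here: %s\n", msg[classify(probe_fchmodat2)]);
    printf("model result with ENOSYS: %d, with EPERM: %d\n",
           chmod_compat(fake_enosys, fake_ok), chmod_compat(fake_eperm, fake_ok));
    return 0;
}
```

Running the same binary under the default seccomp profile and again with `--security-opt seccomp=unconfined` separates what the filter returns from what the host kernel returns.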

